Iran attacked with data-wiping malware, report says

The Iranian team that handles cybersecurity threats reported that the country's computer systems were the target of malware capable of wiping disk partitions clean of data.

The MAHER Center of Iranian National Computer Emergency Response Team reported the attack on Sunday, but did not list the targets. The organization did describe the attack as "targeted," meaning it was aimed at systems of specific organizations.

Iran has been the target of cyber-sabotage malware before. In 2010, the Stuxnet worm attacked the country's nuclear facilities, damaging centrifuges used to enrich uranium. The New York Times reported in June that the attack was a joint effort of the U.S. and Israel.

The latest attack is far less sophisticated than Stuxnet. The malware was used in an "extremely simplistic" assault in which the attacker wrote a batch program and then used a BAT2EXE tool to turn it into a file that could run on a Windows Preinstallation Environment (PE), Roel Schouwenberg, a security expert with Kaspersky Lab, wrote on Monday on the company's SecureList blog.

Batch programs, also called BAT files, are used to run repetitive tasks, such as backups. Windows PE is a lightweight version of the operating system that is used to deploy Windows on workstations and servers and to troubleshoot the OS when it is offline.

[See also: How to plan an industrial cyber-sabotage operation -- A look at Stuxnet]

The destructive payload within the BAT file will try to delete all files in drives D through I, Schouwenberg said. It will also try to do the same on the infected desktop.

"Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by anti-virus software," the Iranian CERT said.

The malware seemed designed to go after older systems, implying that the targets were computers used to do mundane activities like operating as a server or controller, said Murray Jennex, an associate professor at San Diego State University and an expert in international information systems.

The attack also could have been aimed at PCs used by an engineer in the field or systems in educational facilities, Jennex said. But he said he didn't believe the malware was sophisticated enough to affect Iran's main research support systems.

"However, I wouldn't be quick to say Iran is being attacked as the report says nothing about tracing the attack and it would not surprise me if this is an internal attack, either by dissidents or to take some of the [cyberespionage] heat off of Iran," Jennex told CSO Online.

In its code analysis, Kaspersky said the malware, dubbed Trojan.Win32.Maya.a, tries to cover its tracks by running chkdsk (Check Disk), the Windows command used to fix file system errors or check the status of hard disks.

"I assume the attacker is trying to make the loss of all files look like a software or hardware failure," Schouwenberg said.
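As an added illustration that is not part of the report or of Kaspersky's analysis, the following detection heuristic runs over constructed process-creation records and flags the behaviour pattern described above: a parent process issuing recursive root-level deletes against several drives in a short window, optionally a user-profile wipe, and a trailing chkdsk as the cover-up step. The log format, field names, regexes and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed process-creation records (time pid ppid command-line), made up to mirror the
# described behaviour; this is sample data for the example, not real telemetry.
SAMPLE_LOG = """\
2012-12-16T09:00:01 4100 3990 cmd.exe /c del /F /S /Q D:\\*.*
2012-12-16T09:00:02 4101 3990 cmd.exe /c rmdir /S /Q E:\\
2012-12-16T09:00:03 4102 3990 cmd.exe /c del /F /S /Q F:\\*.*
2012-12-16T09:00:04 4103 3990 cmd.exe /c rmdir /S /Q C:\\Users\\alice
2012-12-16T09:00:05 4104 3990 chkdsk.exe C: /f
2012-12-16T09:05:00 5200 5100 cmd.exe /c del /Q D:\\temp\\old.log
2012-12-16T09:06:00 5201 5100 chkdsk.exe D:
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (\d+) (.+)$")
# Recursive delete aimed at a drive root ("del /S ... D:\*.*", "rmdir /S ... E:\").
ROOT_WIPE_RE = re.compile(r"\b(?:del|rmdir|rd)\b.*?/S\b.*?\s([A-Za-z]):\\(?:\*\.\*)?(?:\s|$)", re.I)
# Recursive delete of a user profile directory (the report mentions profile directories too).
PROFILE_WIPE_RE = re.compile(r"\b(?:del|rmdir|rd)\b.*?/S\b.*?\\Users\\[^\\\s]+(?:\\\*\.\*)?(?:\s|$)", re.I)
CHKDSK_RE = re.compile(r"^chkdsk(?:\.exe)?\b", re.I)

def parse_log(text):
    recs = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, pid, ppid, cmd = m.groups()
        recs.append({"time": datetime.fromisoformat(ts), "pid": int(pid), "ppid": int(ppid), "cmd": cmd})
    return recs

def detect_wiper(records, min_drives=3, window_seconds=120):
    """Alert per parent process that wipes several drive roots within a short window."""
    by_parent = defaultdict(list)
    for r in records:
        by_parent[r["ppid"]].append(r)
    alerts = []
    for ppid, procs in by_parent.items():
        drives, profile, chkdsk_after, first, last = set(), False, False, None, None
        for r in sorted(procs, key=lambda x: x["time"]):
            m = ROOT_WIPE_RE.search(r["cmd"])
            if m or PROFILE_WIPE_RE.search(r["cmd"]):
                first, last = first or r["time"], r["time"]
                if m:
                    drives.add(m.group(1).upper())
                else:
                    profile = True
            elif first and CHKDSK_RE.match(r["cmd"]):
                chkdsk_after = True  # chkdsk after the deletes: the cover-up step described
        if len(drives) >= min_drives and (last - first).total_seconds() <= window_seconds:
            alerts.append({"ppid": ppid, "drives": sorted(drives), "profile_wipe": profile, "chkdsk_after": chkdsk_after})
    return alerts
```

The second parent (pid 5100) deletes a single file and runs chkdsk on its own, which is ordinary administration and is not flagged.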

Windows PCs running 64-bit versions of the OS will receive a warning if the malware tries to run. That's because the payload includes a 16-bit executable called SLEEP.exe, Schouwenberg said. Because 16-bit files won't run on 64-bit versions of Windows, trying to do so launches a warning notifying the user that a program won't start or run.

There's nothing in the code linking the malware to other targeted cyberattacks on Iran. Besides Stuxnet, security experts this year discovered Flame, a Stuxnet cousin that tried to steal data primarily from computer systems in Iran and Palestine.

Stories by Antone Gonsalves